Information Security Incident Response

Posted by Winnie Melda on November 19th, 2018

Introduction

One of the most essential resources of any organization and which should always be handled with sufficient care is information. Computer technology to evict the manual office work and due to its accuracy and ease of data retrieval, it has been adopted by almost every company existing within the era (Dark, 2011). These computers have come with other advantages such as enhancing communication and today business is done at ease. This is an era when business partners do not need to meet often since they can converse and transact online. Systems have been designed in order to share the same networks and time-sharing processes. Nevertheless, with this technology come disadvantages and threats. Information is at risk of access by hackers and terrorists for malicious purposes. These criminal organizations have used this information to conduct illicit actions such as defacing names of companies which fail to act to their demands.  In that case, however, irrelevant information may seem, its protection is crucial in the age of the cloud, and new policies need to address the best approaches to use in order to assess the Information Technology (IT) department’s functions (Koyuncugil & Ozgulbas, 2011).

This is an incident paper and describes an information fraud incident, the impact of this incident, reasons for its happening, the probability of recurrence of a similar incident and a plan of actions to prevent it from happening again.

What happened?

Data confidentiality implies the protection of information from view by anybody except the authorized as stated in the confidentiality policy. According to these terms, at no time should such information be disclosed unless such disclosures are in concomitant with the stipulated security measures. The following incident is a breach of the above stipulation. In a typical day, an employee who worked as an administrative manager in the Minnesota Enforcement Division accessed and viewed the Minnesota Department of Motor Vehicles information which composed of confidential information of approximately 5,000 people (Grama, 2014). To aggravate the situation, this access occurred outside the working hours, and as proven, this was done for other purposes no job-related. Sufficient evidence shows that his activities went for long, between January 2008 and October 2012. Following this discovery, he was discharged on January 11, 2013. Essential to state is that the information at stake comprised of drivers’ license data and motor vehicle record information. According to his statement, his actions were just for curiosity and never intended for malicious purposes. However, it was against the company’s information security policy which stipulated that one’s information was to remain confidential to himself and the company and could only be accessed if need be, not for personal businesses but only for the business. Aware of their rights a group of drivers who had their license information inappropriately viewed filed lawsuits against Minnesota on May, 1st 2013.  According to the federal Driver Privacy Protection Act, a 1994 law a penalty of a minimum of ,500 for each violation of Driver’s information access is chargeable to the violator (Dark, 2011).. However, the state requested the federal judge who chaired the hearing of the case to dismiss the motions and to argue that the state was not liable under the federal law to protect the privacy of drivers’ license data. Though the employee responsible for the information breach is facing criminal charges, it is not clear that it was for illicit purposes since there still no evidence linking his access to malicious purposes. On the 7th of August 2013, the lawsuit was filed again. This time, it was filed against other state employees including the employee responsible for the breach. However, the district court dismissed the case on 25th of September 2013. The ruling was that the state agencies are not liable for a rogue employee's actions though the case against the dishonest employee is still active.

Impact of what happened

Though the case does not provide information about the implications this breach of information caused, I think among the impacts of this access could include the following. There are various impacts which can result from the improper access to driver’s information. Apparently these impacts might be either positive or negative. The following are the negative aspects of the implications.  Firstly, the administrative manager could be using this information for business purposes. An example of such a business is selling it to criminal organizations who in turn could be using it to manufacture fake driver’s license for immigrants and other people who have had their banned for various reasons. Due to this, some immigrants who could have lost from their countries would acquire driver’s license without having to undergo feral processes where they could be arraigned. The final result is having illegal drivers reacquire their driving rights against the law (Grama, 2014).  

Secondly, the access to driver’s information could lead to it falling into wrong hands. In these wrong hands, such confidential information could be misused to commit illegal activity such as fraud or discrimination. Such information could be used to the benefit of this manager to earn money through creating ghost workers which he might be using to draw money from the sponsors of the organization (Lehtinen, Russell & Gangemi, 2006). The third negative implication of disclosure of data is sensitive to the employee and management is a loss of employee trust, confidence, and loyalty. As said earlier, most organizations have policies that stipulate that the employees’ data is confidential and kept safe. In any case, this confidentiality is maintained by the organization’s superiors who include the managers who swear an oath of integrity. In the event that these superiors are in the lead to conducting a breach of information confidentiality, then the employees will lose their trust on them. Their levels of confidence towards them get also dwindled. That is why in the case above the drivers feel betrayed and seek the assistance of the court to grant them justice (Dark, 2011).

The impact could also be positive. It could be that the manager worked in liaison with fellow managers and the traffic authorities and was confirming the details of specific drivers who had been noted conducting traffic disarrays and were under investigation. The implication of this could be the determining of the identification of the drivers who misused the company’s vehicles and reporting their details. That would not only lead to the elimination of uncouth drivers but also ensure the safety maintenance of the company’s vehicles (Koyuncugil, & Ozgulbas, 2011)..

 The likelihood of it happening again

Unauthorized access to any form of data labeled confidential or high profile is liable to punishment. As such, there should be a policy which stipulates what happens after a person is caught breaking this rule. Failures to punish such a misdeed make it appear to the onlookers like there are no severe consequences which will follow such an act. As such, other members of the organization might be tempted to do the same as they are not in fear of being punished when caught just like in a certain prior referable case. For the case above, the court keeps denying a hearing which means the victim has not yet been charged (Marcella, & Stucki, 2003). Though the federal Driver Privacy Protection Act, 1994 says it well that it’s wrong to access driver’s information without their consent, the judges fail to act like this law state. It seems like the drivers’ might not enjoy their justice as the court might completely ignore their case. If the courts could have penalized the manager for violation of this law, he could have acted as an exemplary case causing others to fear to do the same. However, because no charges have been filed against the victim, there is thus bound to be other cases in the future similar to this one (Cullen & Gilbert, 2012).

What must be done to prevent it from happening again?

The first thing to do is that the company should reaffirm its policy that regards information access and restates the compliance and non-compliance consequences to any stakeholder. This policy should be implemented and made applicable to all no matter their rank in the company (Marcella & Stucki, 2003). When someone is caught violating this policy, he should be charged in court severely to serve as an exemplary case. Other prompt security measures to the database should be put in place. Examples include securing the database room with electric locks which requires key-combinations and strong padlocks which impede entrance by unauthorized people. Monitoring should regularly be done to ensure data remains as original as it can be (Dark, 2011).

References

Cullen, F. & Gilbert K.(2012). Reaffirming Rehabilitation. NY: Routledge

Dark, M. J. (2011). Information assurance and security ethics in complex systems: Interdisciplinary perspectives. Hershey, PA: Information Science Reference.

Grama J.(2014). Legal Issues in Information Security. Jones & Bartlett Learning

Sherry Roberts is the author of this paper. A senior editor at MeldaResearch.Com in research paper writing help 24 hours if you need a similar paper you can place your order for essay writing services.

Like it? Share it!


Winnie Melda

About the Author

Winnie Melda
Joined: December 7th, 2017
Articles Posted: 364

More by this author